Phishing Awareness Training: How to Protect Your Organization

By Michael X. Heiligenstein
September 25, 2020
Phishing

Phishing awareness training protects companies and organizations by building awareness of phishing tactics, and offering guidance on how team members can stay secure over email. Because phishing attacks aim to exploit people, no technical solution on its own can prevent phishing. So if you hope to stay secure, it’s crucial to educate the people within your organization.

As part of your phishing awareness training program, you’ll cover how to spot a phishing email, as well as some all-purpose email security best practices. And make sure to follow up on the training with positive reinforcement and continued testing to ensure your organization is protected from phishing attacks.

Phishing Awareness Training: What to Cover

A strong phishing awareness training program should cover three main areas: how to spot phishing emails, what to do when you come across one, and how to stay secure over email.

TIP: Make sure to include everyone in the training. Phish look for any weak point they can exploit, with a special eye out for executives with access to the real money. It’s vital that everyone participates in the training. No exceptions.

How to Spot a Phishing Email

To detect a phishing email, the most important places to look are the sender and any links within the email. You’ll also want to watch out for any strange behavior or requests for sensitive information.

Look closely at who it’s from

Let’s start with the sender. For every incoming email, click the “show details” arrow to check the sender information. The first thing you’ll notice is the from: line, which details what email address this message was supposedly sent from. If the email came from a dodgy URL you’ve never heard of before, you should watch out.

However, the from: line isn’t hard to fake. Through a technique known as email spoofing, a phish can send an email from any web domain they want. The following example took me two minutes to send, and at face value, could easily be mistaken for one sent from whitehouse.gov:

Let’s look at a legit example now:

How can we tell this email really came from Spotify? Check the mailed-by and signed-by lines. The right domain here shows that the email has been authenticated by your email service. You’ll also see “security” listed under email details, but that doesn’t mean much on its own – if you look back at the spoofed email example up above, you’ll see that anyone can add standard encryption.

Examine URLs carefully

You’ll also want to keep an eye out for any URLs in the text of an email. Many phishers use fake websites as a way to snag passwords or personal information – if you go to their fake website and type in your real password, it immediately becomes theirs to use.

The text of a URL in an email doesn’t always match the URL it’s pointing to. To get a quick glance, mouse over the link and look in the bottom left of your browser window. Look closely: phishers often book URLs that superficially resemble one you trust. One letter can make all the difference.

Watch out for suspicious behavior

Phishing emails come in many varieties. Some are easy to spot: if a deposed Nigerian prince you’ve never heard of sends you a typo-riddled email promising millions if you send him just a few thousand dollars, you might not need a magnifying glass to figure out he might not be who he says he is.

But many phish are more clever than that. They might copy a legit email you would expect to see from your bank, or personalize an email based on studious research so that it matches something you’d expect to see in your inbox. This personalized approach is called spearphishing, and done right, the email email looks exactly like something you would expect to receive.

Once they have one person in the organization’s login and password, they can then send emails from that person’s account. From there, they’ll continue to phish for greater access. And ince they’re already using an internal email, they’re practically indistinguishable from the real thing.

Train your employees never to divulge passwords or sensitive information over email. If someone at the company emails asking for login info, it’s best to follow up with them in person or over a call.

When They Spot a Phish

As part of your phishing awareness training, you’ll want to make it clear what your team members should do when they spot a phish. If you don’t have a system in place for reporting phish suspects, now’s the time to set it up.

The easier you make it, the more likely people are to report suspected phishing attempts. I would suggest setting up a dedicated email address they can forward suspect emails to, such as “phishing@yourcompany.com”. Don’t make people call a hotline or file a detailed report. The harder it is to report a phishing email, the fewer people will do so.

Crucially, urge your team members not to just forward suspected phishing emails willy-nilly. Every person they forward a phishing email to is another person who might fall into the phish’s trap. Even if they attach a warning, there’s always a risk the recipient will scan right past it and get hooked. It happens.

Email Security Best Practices

Finally, there are a few best practices your team should follow at all times to safeguard against phishing.

Most importantly, never blindly click through to the URL in an email. Your team members should at the very least mouse over every URL before they click. Even better, they should right click and copy the URL to their address bar, and pause for at least five seconds to examine it before pressing enter. They can also type the URL manually into the address bar. If it’s a site they go to often, such as a banking or invoicing service, this is the best option.

Everyone should be especially vigilant with passwords and personal information. If any website asks you for either, take a few seconds to doublecheck URL. Again, be careful: it’s common for hackers to set up fake websites. A one letter difference can be surprisingly hard to spot.

Finally, your team members should never divulge passwords or personal information over email unless strictly necessary. Again, much better to go over sensitive info in person or on a call. That way, they can be more certain of who they’re talking to, and there’s no paper trail of information that’s best kept as safe as possible.

To summarize:

  • Always mouse over URLs
  • Never just click on a URL
  • Right click to copy and paste the URL, or better yet, manually type in the website if you’ve been there before
  • Always check the sender
  • But never assume the from: info is accurate
  • Think for five seconds before you type in a password or sensitive information
  • Never divulge passwords or sensitive information over email unless strictly necessary
  • If you’re not sure, talk to the coworker, in person or on a call

Follow Up, and Test Test Test

Phishing awareness training isn’t a one-and-done type deal. You’ll want to follow up to ensure people have learned the lesson. Sending them a quiz or follow up exercises can help, but the best way is to give your organization a real life phishing test.

To fully test phishing, you need to fake phish your organization. It’s up to you whether you warn them first, but I would encourage doing so – the point of running these tests is not to call people out or leave them feeling hurt. Instead, it’s to determine how successful your phishing awareness training has been, and accurately assess just how vulnerable your organization is to phishing attacks.

To get started, you can use a free software such as Gophish to send emails and track results. You’ll want to try out a variety of techniques, not just the same emails over and over again. You can learn more about phishing testing here.

You’ll want to set up testing and training on an ongoing schedule. Phish will keep trying to scam your organization over email, looking for any weak link. All it takes is one person to slip up and your organization is compromised.

Consider Two-Factor Authentication

One last thing. If there’s any one tool I’d recommend organizations use to stay safe, it would have to be two-factor authentication. With two-factor authentication, a password alone isn’t enough to log into a business account – instead, another defense layer is in place. For instance, you might have to enter a one-time code texted to your phone. Yes, it takes an extra few seconds, but the slight inconvenience is worth it to dramatically cut the risk of your organization getting hacked into.

Two-factor authentication isn’t a replacement for awareness training. Cyberattackers thrive at the intersection of technology and people, relying on a combination of technological knowhow and social engineering to manipulate their way to their goal. But if you’re going to add one technical safeguard alongside your educational program, you can’t go wrong with two-factor authentication.

The Bottom Line

If you want to protect your organization from phishing attacks, phishing awareness training is a necessity. Go over how to spot phishing emails, how to report suspected phish, and email security best practices. Crucially, follow up with reinforcement and testing to make sure the lessons sink in and your organization is as safe as can be against phishing attacks.

Stay vigilant.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.